
Press Releases by WebKnowHow


WhiteHat Security Web Application Security Risk Report Unveils Top Website Vulnerabilities


April 23, 2007; 07:00 AM
WhiteHat Security, the leading provider of website vulnerability management services, today released the second installment of its Web Application Security Risk Report, which details 15 months of vulnerability assessment data across a variety of real-world websites. The report unveils the top 10 website vulnerabilities facing enterprises, and identifies Web application security trends across financial, e-commerce, healthcare, and high-tech industries. The WhiteHat Report provides enterprises with a clear picture of current website security issues and details best practices for defending against potential attacks.

WhiteHat Security's research confirms that the Web application layer requires proactive security as the number one target for malicious online attacks. In its December 2006 report, WhiteHat found that eight out of every 10 websites are vulnerable to attack. The Company's recent findings now indicate that one out of every three websites has an urgent vulnerability issue that could put online data and corporate brand identity at risk. The most prevalent vulnerability continues to be Cross-Site Scripting (XSS) with seven out of 10 websites being affected, followed by Information Leakage and Content Spoofing. SQL Injection and Insufficient Authorization also remain on the top 10 list, and if undiscovered can result in serious repercussions regarding highly sensitive information.

The WhiteHat Report notes a slight decrease in technical vulnerabilities such as XSS and SQL Injection. This may indicate that organizations are beginning to address the growing number and severity of website attacks. However, logical vulnerabilities such as insufficient authorization, where an attacker gains unauthorized access to protected sections of a website, have not decreased. This can be attributed in part to the fact that scanners alone do not pick up flaws affecting business logic and remediation may be more difficult. In order to ensure effective and complete vulnerability assessments, it is key to have security experts working in conjunction with the scanners. This combined approach unearths items that scanners are not equipped to catch and serves as a stronger safeguard in protecting against attacks.

As the issue of Web application vulnerability increases in severity and importance across industries, more enterprises have implemented WhiteHat Security's Sentinel Service to address their Web application security needs. WhiteHat Sentinel comprehensively and continuously assesses hundreds of real-world production and development websites per month to obtain a one-of-a-kind perspective into website vulnerability trends. As the only company with access to cumulative data of this magnitude and depth, WhiteHat is sharing its findings to provide enterprises with an all-encompassing view of the various attacks their websites may be susceptible to.

WhiteHat utilizes the Web Application Security Consortium (WASC) Threat Classification of 24 Web application vulnerability classes as its standard. This ensures comprehensive coverage of all known types of vulnerabilities. WhiteHat's approach to website vulnerability management combines a human component with patent-pending, enterprise-class scanning technology for identification of technical vulnerabilities, verified results to eliminate false positives, and custom testing with multiple user-levels to reveal business logic flaws.

"We are thrilled to reveal our second quarterly risk report offering further clarity on prevalent vulnerabilities affecting websites today," said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. "These statistics continue to provide an in-depth view of the attack landscape that enterprises currently face. As the amount of sensitive data housed online continues to grow, WhiteHat is committed to educating companies on how to proactively protect their websites through complete website vulnerability management."

WhiteHat plans to issue continued installments of the Web Application Security Risk Report on a quarterly basis. To ensure the report remains useful and relevant, WhiteHat incorporates feedback and ideas from leading industry thought leaders and influencers. Based on feedback already received, plans for future reports include: comparing website technology and frameworks; comparing vertical markets; average remediation times by vulnerability; trend vulnerability increases/decreases over time; and attack surface ratios of inputs to vulnerabilities.

About WhiteHat Security, Inc.

Headquartered in Santa Clara, California, WhiteHat Security is a leading provider of website vulnerability management services. WhiteHat delivers turnkey solutions that enable companies to secure valuable customer data, comply with industry standards and maintain brand integrity. WhiteHat Sentinel, the company's flagship service, is the only solution that incorporates expert analysis and industry-leading technology to provide unparalleled coverage to protect critical data from attacks. For more information about WhiteHat Security, please visit our website, http://www.whitehatsec.com/.
